Secure projects airgapped / offline
Investigate and implement testing of the secure projects in an airgapped/offline fashion, possibly on a separate branch.
After investigation (e.g. can iptables be called in a before_script prior to running the child pipeline?), a separate branch, e.g. offline-FREEZE, seems the best solution.
Pros:
- Will run automatically as part of the existing secure test orchestrator runs
- Proves out airgapped functionality on a per job basis
Cons:
- Will need to be maintained and updated
- There are a lot of projects to get through
- https://gitlab.com/gitlab-org/security-products/tests/apex-salesforce
- https://gitlab.com/gitlab-org/security-products/tests/big-node-js - nodejs-scan no longer runs as root, but the master and no-dind pipeline bases are failing
- https://gitlab.com/gitlab-org/security-products/tests/c-conan
- https://gitlab.com/gitlab-org/security-products/tests/cplusplus
- https://gitlab.com/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject
- https://gitlab.com/gitlab-org/security-products/tests/csharp-nuget-dotnetcore - issues with license scanning showing different results - gitlab-org/security-products/tests/csharp-nuget-dotnetcore#1 (closed)
- https://gitlab.com/gitlab-org/security-products/tests/dast-e2e - DAST scan runs as non-root user - https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/695
- https://gitlab.com/gitlab-org/security-products/tests/elixir-phoenix-umbrella - n/a, no pipeline to run
- https://gitlab.com/gitlab-org/security-products/tests/elixir-phoenix
- https://gitlab.com/gitlab-org/security-products/tests/go-modules - issues with license scanning showing different results - gitlab-org/security-products/tests/go-modules#1 (closed)
- https://gitlab.com/gitlab-org/security-products/tests/java-gradle
- https://gitlab.com/gitlab-org/security-products/tests/java-gradle-kotlin-dsl
- https://gitlab.com/gitlab-org/security-products/tests/java-gradle-multimodules
- https://gitlab.com/gitlab-org/security-products/tests/java-groovy
- https://gitlab.com/gitlab-org/security-products/tests/java-maven
- https://gitlab.com/gitlab-org/security-products/tests/java-maven-multimodules
- https://gitlab.com/gitlab-org/security-products/tests/js - eslint uses non-root user - https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/695
- https://gitlab.com/gitlab-org/security-products/tests/js-bower - license scanning fails with "details": "fatal: unable to look up github.com (port 9418) (Temporary failure in name resolution)\n", - gitlab-org/security-products/tests/js-bower#1 (closed)
- https://gitlab.com/gitlab-org/security-products/tests/js-npm
- https://gitlab.com/gitlab-org/security-products/tests/js-yarn
- https://gitlab.com/gitlab-org/security-products/tests/node-js-disable-babel - node-js scanner uses non-root user - https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/695
- https://gitlab.com/gitlab-org/security-products/tests/php-composer - php scanner uses non-root user - https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/695
- https://gitlab.com/gitlab-org/security-products/tests/python-pip
- https://gitlab.com/gitlab-org/security-products/tests/python-pipenv - pipenv wants to re-install from the repo every time - workaround detailed in issue gitlab-org/gitlab#268038 (closed)
- https://gitlab.com/gitlab-org/security-products/tests/python-poetry - for some reason reports invalid CI yaml when the yaml is correct - gitlab-org/security-products/tests/python-poetry#1 (closed)
- https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler
- https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler-rails
- https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler_js-yarn - Dependency scanning only!
- https://gitlab.com/gitlab-org/security-products/tests/rust-cargo - License scanning only
- https://gitlab.com/gitlab-org/security-products/tests/sast - n/a, archived project
- https://gitlab.com/gitlab-org/security-products/tests/scala-sbt
- https://gitlab.com/gitlab-org/security-products/tests/secrets
- https://gitlab.com/gitlab-org/security-products/tests/typescript-yarn - eslint uses non-root user - https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/695
- https://gitlab.com/gitlab-org/security-products/tests/webgoat - pushed out to https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/672
- https://gitlab.com/gitlab-org/security-products/tests/webgoat.net - Parked, as there are 3 scanners: ESLint (non-root user cannot install iptables, https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/695), License Compliance (reaches out to get license info), Security Scan (silently fails)